Public Lambda via API Gateway

• Query id: 3ef8696c-e4ae-4872-92c7-520bb44dfe77
• Query name: Public Lambda via API Gateway
• Platform: Terraform
• Severity: Medium
• Category: Access Control
• URL: Github

Description

Allowing to run lambda function using public API Gateway
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - tf file

resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"

  # The "/*/*" portion grants access from any method on any resource
  # within the API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/*"
}

resource "aws_lambda_function" "example" {
  function_name = "ServerlessPerson"

  handler = "MyHandler::handleRequest"
  runtime = "java11"

  role = aws_iam_role.lambda_exec.arn
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"

  # The "/*/*" portion grants access from any method on any resource
  # within the API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/test/test"
}

resource "aws_lambda_function" "example" {
  function_name = "ServerlessPerson"

  handler = "MyHandler::handleRequest"
  runtime = "java11"

  role = aws_iam_role.lambda_exec.arn
}